Interested in this topic? Visit the links below for more resources:
Visit The IIA’s website or YouTube channel for related topics and more.
00:00:02 The IIA
The Institute of Internal Auditors presents All Things Internal Audit Tech.
00:00:06 The IIA
In this episode, Adam Ross is joined by Felipe Ribeiro and Julian Perelt to discuss how supply chain risk has evolved into an interconnected, enterprise-wide challenge.
00:00:18 The IIA
They discuss where organizations underestimate exposure.
00:00:21 The IIA
and why internal audit is uniquely positioned to identify blind spots before disruptions escalate.
00:00:28 The IIA
The conversation spans real-world examples from agriculture and highly regulated businesses, third-party risk, continuous monitoring, and the growing impact of automation and AI on supply chains.
00:00:43 Adam Ross
I'm joined by two leaders in the industry.
00:00:47 Adam Ross
One is an internal auditor and one specializes in supply chain risk management, working directly with management to help manage some of these supply chain risks and implement the risk management and control activities that we'll be talking about today.
00:01:00 Adam Ross
And with that, why don't we go ahead and dive right in.
00:01:03 Adam Ross
And Felipe and Julian, let's get started with something broad.
00:01:07 Adam Ross
And Felipe, I'd love for you to chime in on this first.
00:01:10 Adam Ross
When we talk about supply chain risk today,
00:01:13 Adam Ross
It feels very different than it did even a few years ago.
00:01:16 Adam Ross
What do you think has changed the most, and why should internal audit be paying more attention now than previously?
00:01:22 Filipe Ribeiro
That's a great place to start, actually, because I do believe that supply chain risks today is totally different from what it was even five or six years ago.
00:01:30 Filipe Ribeiro
I believe that back then was mainly seen as a logistic issue rather than something else.
00:01:35 Filipe Ribeiro
Nowadays, the reality has changed.
00:01:38 Filipe Ribeiro
The supply chains have become more deeply interconnected, ecosystems.
00:01:42 Filipe Ribeiro
Risk doesn't sit only in trucks and parts anymore.
00:01:45 Filipe Ribeiro
It sits end to end with supplier selections, contract structures, data qualities, cyber exposure, and most of the cases, geopolitical dependencies.
00:01:55 Filipe Ribeiro
Those risks have moved from what I used to call before operational inconvenience to what we now call for more strategic business risks.
00:02:03 Filipe Ribeiro
That's where I think we internal autos, we play an important role nowadays.
00:02:07 Filipe Ribeiro
We are only one of the functions of the company that can see all of these risks interconnected and to proper assess how it can impact the operation.
00:02:16 Filipe Ribeiro
So our role is not longer just to reveal controls after something goes wrong, but it's to challenge assumptions before it happens.
00:02:24 Adam Ross
I love your phrase that moving from an operational inconvenience to a more strategic risk that certainly warrants a lot more attention than it has in the past.
00:02:32 Adam Ross
Julian, interested in your thoughts on what's changed over the last couple of years.
00:02:36 Julien Perreault
Yeah, agreed with Felipe 100%.
00:02:37 Julien Perreault
I mean, it's definitely become a much more systemic part of supply chains, understanding whether there's a weather event, labor strikes, a supplier bankruptcy, were one of your key components.
00:02:49 Julien Perreault
You really need to understand where those risks were treated as exceptions historically, you know, are now being managed
00:02:56 Julien Perreault
through contingency plans.
00:02:58 Julien Perreault
You need to make sure that those aren't exceptions, but it's more the operating environment that you control today and making sure that you have strong escalation paths to really make sure you're making the right decisions moving forward.
00:03:11 Adam Ross
Totally agree with that.
00:03:12 Adam Ross
Julian, as we build on that kind of the current state of supply chain risk, maybe you can talk a little bit about where organizations most commonly underestimate supply chain risk.
00:03:22 Adam Ross
And where do things look good on paper when someone says, don't worry, we got this, but then in actuality, really maybe not as good as we had all hoped it would be.
00:03:33 Julien Perreault
100%.
00:03:33 Julien Perreault
I think the big issue is organizations get into this lull where they see that performance appears to be stable and well-documented.
00:03:40 Julien Perreault
So they're looking at their dashboards and the KPIs are all green.
00:03:44 Julien Perreault
You have key contracts in place with not only just your key suppliers, but all of your suppliers.
00:03:49 Julien Perreault
And the risk register shows moderate exposure.
00:03:52 Julien Perreault
that usually organizations feel like it shows reliance, but many of these mechanisms are looking backwards, right?
00:03:58 Julien Perreault
So what happens when that KPI goes from green to yellow or jumps from green to red?
00:04:05 Julien Perreault
You know, it's explaining what's already happened in the past, but not looking at about what is going to fail in the near future.
00:04:12 Julien Perreault
I think there's a lot of issues within planning specifically, right?
00:04:16 Julien Perreault
Forecasts are often treated as commitments.
00:04:18 Julien Perreault
Capacity is assumed rather than stress tested.
00:04:21 Julien Perreault
and inventory strategies are optimized for efficiency rather than variability, which is a big problem that we see today.
00:04:28 Julien Perreault
These assumptions generally hold during stable periods, but unravel very quickly under stress.
00:04:33 Julien Perreault
And how can that stress be mitigated by the organization moving forward?
00:04:37 Adam Ross
Wow, you hit on three really articulate items there, where it sounds like the underlying cause of potential issue is the assumption that things are going to happen
00:04:48 Adam Ross
as they historically have, or you might expect them to be.
00:04:52 Adam Ross
But the reality is always, but more so in today's ever-evolving environment, that there is a level of volatility and unpredictability that organizations probably need to be a little bit better prepared for and frankly acknowledge and incorporate into their modeling.
00:05:07 Julien Perreault
Absolutely.
00:05:08 Julien Perreault
And I think it's also another issue that organizations have is what's the behavior of your organization when a risk incident happens or an exposure happens, right?
00:05:18 Julien Perreault
A lot of times people will find solutions to those problems locally to make sure that operations are moving.
00:05:25 Julien Perreault
Planners will look at the forecast and override it.
00:05:27 Julien Perreault
Logistics teams will expedite freight.
00:05:30 Julien Perreault
Finance will tolerate an exception.
00:05:32 Julien Perreault
Independently, these decisions are rational and make sense to keep the business moving, but collectively, if they are unmanaged, they create a massive enterprise risk.
00:05:43 Julien Perreault
The organization absorbs risk informally without acknowledging it or governing it.
00:05:47 Adam Ross
Felipe, coming back to you, and really wanted to lean into your industry experience in agricultural.
00:05:53 Adam Ross
You've had the opportunity to audit across the agricultural value chain.
00:05:57 Adam Ross
Can you maybe share an example where a risk early on
00:06:01 Adam Ross
like farming, sourcing, or inputs, seems pretty minor or insignificant, but quietly grew into a much bigger issue downstream.
00:06:09 Filipe Ribeiro
Yes, for sure.
00:06:10 Filipe Ribeiro
And this actually happens more often than people realize, especially in agriculture.
00:06:14 Filipe Ribeiro
I like to say that I had the privilege to live in certain different countries and continents.
00:06:18 Filipe Ribeiro
And earlier in my career, when I was working a project in South America, at the beginning of the season, of the agriculture season, everything looked pretty much fine.
00:06:26 Filipe Ribeiro
The contracts were signed, the supplies were approved,
00:06:29 Filipe Ribeiro
pricing was locked in.
00:06:31 Filipe Ribeiro
Apparently, the supply was totally secured.
00:06:34 Filipe Ribeiro
But what was not fully visible for us, however, at that time is that several of these suppliers were just relying in one single source of inputs on the upstream part of the business.
00:06:46 Filipe Ribeiro
And, you know, when certain geopolitical restrictions arose on the country at that time, impacting the logistics and great certain bottlenecks,
00:06:54 Filipe Ribeiro
The deliveries did not stop, but they were delayed.
00:06:57 Filipe Ribeiro
At the first moment, it didn't seem critical, but you know how agriculture is.
00:07:01 Filipe Ribeiro
It's extremely timely sensitive, and missing a treatment window by even a few weeks can deeply affect the yields.
00:07:08 Filipe Ribeiro
And that early delay quietly reduces the outputs, of course.
00:07:12 Filipe Ribeiro
Not enough on the beginning to trigger certain alarms, but enough to create a gap.
00:07:17 Filipe Ribeiro
The gap that months later appeared on the downstream part of the business with lower volumes entering on inventory, processing plants downtimes, higher logistic costs, inventory locations, and also, of course, customer commitments being renegotiated.
00:07:34 Filipe Ribeiro
And what has started is just a small upstream delay.
00:07:37 Filipe Ribeiro
ultimately affected the yield, the production planning, the customer fulfillment, and also their margins.
00:07:42 Filipe Ribeiro
I believe this is a good example how the supply chain risk often doesn't explode immediately, but it accumulates silently over the time.
00:07:52 Adam Ross
Was there any time when internal audit got involved or became aware of the issue?
00:07:57 Adam Ross
And if so, what role did internal audit play in helping management navigate the risk or do something post-mortem?
00:08:06 Filipe Ribeiro
Actually, at the time, we used it to work as a continuous monitoring audit department, and we start to notice this issue when the numbers across the value chain stopped telling the same story.
00:08:18 Filipe Ribeiro
Upstream, the procurement, and as Julian said, everything on the dashboard was showing green, the contracts fulfilled, the suppliers were marked as compliant.
00:08:26 Filipe Ribeiro
But downstream, the production forecasts were being adjusted frequently, the logistic costs were creeping up, the inventory plans were being adjusted more often than usual.
00:08:36 Filipe Ribeiro
Individually, none of these signs would seem so alarming at the beginning, but when you start to overlay them, like the procurement timelines, the yield expectations, and even the planning assumptions, the logic just broke and we start to identify some patterns and red flags.
00:08:53 Filipe Ribeiro
The input had arrived on the paper, yet on the fields, it was telling a different story.
00:08:59 Filipe Ribeiro
That's when they turned out to realize that the issue wasn't a supplier failure or a control breakdown in isolation, but it was much more
00:09:06 Filipe Ribeiro
or a timing risk hidden between functions, delays that were somehow operationally absorbed, but economically accumulating over time.
00:09:15 Adam Ross
Julie, maybe you can talk a little bit about where some organizations commonly believe they have good visibility into their supply chain and the predicted performance, but then often don't.
00:09:25 Adam Ross
And what is some of the data points that might help improve that visibility to address the issue that Felipe just, either to address the issue Felipe just identified or another similar one?
00:09:35 Julien Perreault
I mean, I think organizations, once again, feel they get into that sense of complacency once they have strong visibility into, you know, orders, inventory level, shipment, supplier performance, and metrics.
00:09:46 Julien Perreault
But again, that's all historical looking data and information.
00:09:50 Julien Perreault
And
00:09:50 Julien Perreault
Even with the rise of AI and analytics to estimate and game the system of where this could happen in the future, it's not all that great yet.
00:10:01 Julien Perreault
And a lot of organizations just, like I said, rely heavily on that historical data.
00:10:06 Julien Perreault
I think the real blind spot is the dependencies, the capacity, and time.
00:10:11 Julien Perreault
Organizations often don't understand how dependent
00:10:14 Julien Perreault
their products, their plants, and their regions are on the same inputs and infrastructures, right?
00:10:19 Julien Perreault
So there's that concentration of supplier knowledge, resources that really they don't focus on or look at as heavily because again, the visibility is there.
00:10:30 Julien Perreault
They think they have the information available at their fingertips to look at when something poorly is going to happen.
00:10:37 Julien Perreault
but you don't know what you don't know.
00:10:39 Julien Perreault
And if that information isn't being fed into your organization one way or another, you're not going to know what that risk is really going to have on your organization.
00:10:46 Adam Ross
So true.
00:10:47 Adam Ross
Felipe, going back to you, talked about the internal audit functions, continuous monitoring, which also helped to bring to light some of the struggles that were kind of evolving and expanding pretty quickly.
00:11:00 Adam Ross
Can you maybe talk just a little bit more about what continuous monitoring was being performed?
00:11:06 Adam Ross
Is it specific controls or were you just monitoring kind of production performance and seeing the slippage in scheduling?
00:11:14 Adam Ross
Although everything was flashing green all the way upstream, when it actually came to manufacturing and fulfillment, things were starting to slip, it sounds like.
00:11:22 Filipe Ribeiro
At that time, the corporate governance layers were pretty much structured with the trade defense line models in place.
00:11:28 Filipe Ribeiro
And then we had some KPIs alongside all of the departments.
00:11:34 Filipe Ribeiro
And it was a business with the upstream and downstream part.
00:11:37 Filipe Ribeiro
It was really well integrated.
00:11:39 Filipe Ribeiro
So we had access to all of the KPIs and certain of these KPIs were connected to certain triggers that would generate alerts for us in case of something went out of our thresholds.
00:11:50 Filipe Ribeiro
And it was pretty much interesting because it's exactly as I was saying, in one part of the business, you can see that everything was flagged perfectly.
00:11:58 Filipe Ribeiro
And on the other part, you could not see this reflex happening on the real operational reality.
00:12:04 Filipe Ribeiro
In most of the cases, as we know, when we work with continuous monitoring, it's still a challenge to eliminate certain false positives and it still takes some time to clear all of the data.
00:12:14 Filipe Ribeiro
But the data will keep showing and showing and showing.
00:12:17 Filipe Ribeiro
You already had the indication that something had happened in the past.
00:12:20 Filipe Ribeiro
So for us, it was kind of easy to connect the root cause with what was being shown on the dashboards.
00:12:26 Adam Ross
I appreciate that.
00:12:26 Adam Ross
And fortunately, that information was available because it does seem like many organizations struggle with data quality.
00:12:33 Adam Ross
And the fact that you had good data to start with, hopefully, even though it turned into a bigger issue, it could have been an even worse issue if the data wasn't there to help kind of navigate the challenge and course correct where appropriate.
00:12:46 Adam Ross
Felipe, also sticking with you, just wanted to talk a little bit about certain supply chain considerations
00:12:54 Adam Ross
And I think this is applicable to many organizations, whether they manufacture a product or otherwise, but there's many industries and product categories that have supply chains that are either remote, extremely capital intensive, and or highly regulated.
00:13:08 Adam Ross
And maybe you can talk a little bit about risk in those environments that can be specifically challenging for internal audit.
00:13:16 Adam Ross
What makes them challenging and how can internal audit best respond to some of those challenges?
00:13:20 Filipe Ribeiro
I think in this type of organization, the biggest challenge that all of these risks happen on the same time, because our type of operations that are usually operating far away from cities, ports, and basically infrastructure.
00:13:32 Filipe Ribeiro
So when something goes wrong, there is usually no plan B, or when there is a plan B, it's hard to test under our pressure situation to proper assess if control we perform correctly or not.
00:13:43 Filipe Ribeiro
And when the production is at risk, the decisions change, right?
00:13:47 Filipe Ribeiro
The priority becomes keeping the planting running.
00:13:50 Filipe Ribeiro
That's when you start seeing the emergence procurement, manual workarounds, and also some cases where the controls are even bypassed.
00:13:58 Filipe Ribeiro
I like to say that in theory, the governance looks strong, but we know that urgency usually wins.
00:14:04 Filipe Ribeiro
And there is also a cultural layer that I would like to add here, is that specifically in these remote areas, these sites depends heavily on the local contractors and certain informal ways to keep the production moving.
00:14:18 Filipe Ribeiro
Operationally, it works, but they don't always fit nicely into governance frameworks.
00:14:24 Filipe Ribeiro
So that's why internal audit is, the challenge usually isn't finding risks, but it's try to understand how the business actually behave when things go wrong and how we can mitigate these risks in a way to not stop the business and to guarantee that we are proper fulfilling the governance frameworks.
00:14:42 Adam Ross
Yeah, I've heard some stories, especially where there's source materials coming from remote locations.
00:14:48 Adam Ross
And I think many of us as internal auditors, sometimes we're a little more comfortable or we expect a bit of a corporate feel for how work gets done.
00:14:59 Adam Ross
But when you're out in the field with a pick and you're mining something and you're working really long hours and days and there's physical safety, people do certain things that maybe it's a little bit different than what you might do if you're an accounts payable clerk sitting in a desk in a corporate location.
00:15:17 Adam Ross
And sometimes it's hard for us as internal auditors to just understand that certain procedures, certain behaviors, certain relationships need to evolve.
00:15:25 Adam Ross
They still could be reasonably controlled, but it just might not be the way we're most commonly used to seeing as internal auditors where we're sitting in a comfortable office that's air conditioned and all those things.
00:15:35 Adam Ross
So I certainly appreciate that.
00:15:36 Adam Ross
One other topic I wanted to think about here briefly, and Julian, I'm going to throw you an audible here in just a moment.
00:15:42 Adam Ross
So I have a client that's in waste management.
00:15:46 Adam Ross
And one of their
00:15:47 Adam Ross
challenges is balancing their regulatory compliance requirement for the secure movement, disposal, permanent storage of these hazardous materials with the highest and best use of their network.
00:16:03 Adam Ross
You know, they might have a facility in Nevada, and they might be picking up hazardous product in Nevada, but that product isn't licensed to process or dispose of that hazardous product, and they have to move it
00:16:14 Adam Ross
to the location that is licensed, which could be Alabama.
00:16:18 Adam Ross
So how, as a supply chain risk specialist, do you balance regulatory compliance with operational efficiency, productivity, and profitability?
00:16:28 Julien Perreault
Yeah, no, it's a great question and something that we see a lot of organizations struggle with.
00:16:33 Julien Perreault
Obviously, you need to be following all of the regulatory requirements within your specific industry.
00:16:39 Julien Perreault
But I think there's a lot of new software that's coming out that allows you to really optimize your supply chain and put in a lot of data, right?
00:16:48 Julien Perreault
If it's a waste management company, they probably have a lot of information on where their clients sit, where that waste has been going historically, what sites can process that kind of waste, and put all that information into those systems to really help look and understand as
00:17:03 Julien Perreault
what is going to be the lowest cost option to get that waste from point A to point B, where it's being processed?
00:17:09 Julien Perreault
Are there any additional licenses that need to be considered if it's going across many state lines?
00:17:13 Julien Perreault
Because obviously not all states are following, there's different rules and regulations in each for how to move those goods across those lines.
00:17:21 Julien Perreault
So I really think that leveraging the technology that has been
00:17:25 Julien Perreault
created the last five to 10 years to really optimize your supply chain network in that regard specifically has really helped a lot with the governance because you can put all that information into the system and it optimizes it to the best of its ability.
00:17:37 Julien Perreault
Now, obviously, with anything AI, it gets you to a certain point.
00:17:41 Julien Perreault
There still needs to be that human in the loop to review everything and make sure that it's working correctly and that there's no errors or assumptions that it made incorrectly.
00:17:49 Julien Perreault
But yeah, I think that's a big portion, a big change in a lot of network distributions
00:17:54 Julien Perreault
that we've been seeing today.
00:17:56 Adam Ross
So we're understanding where the materials historically have come from and best guess on where it might be coming from, the fleet that's available to transport it, the permissible routes to transport it, the facilities and their throughput processing capability when they're licensed to process it, and then making sure obviously you're complying with all the regulatory obligations, whether it be EPA or other departmental, governmental filings, all the paperwork,
00:18:23 Adam Ross
and being able to support the activities while also really trying to maintain profitability of the business and keep every asset as productive as possible to really improve on that.
00:18:35 Julien Perreault
Absolutely.
00:18:35 Julien Perreault
And I think what ultimately what you can kind of find is maybe you have a overperforming site somewhere and an underperforming site elsewhere, and you can reroute potentially some of the work to those other sites.
00:18:47 Julien Perreault
to make sure, to your point, that your assets are being used to the most of their, to the best of their capacity and increasing profitability in that regard.
00:18:55 Adam Ross
So real-time rerouting, which sounds like an awfully cool internal audit to perform if I'm putting my internal audit hat on there.
00:19:02 Adam Ross
So very, very neat, very informative.
00:19:04 Adam Ross
Thank you.
00:19:04 Adam Ross
Julian, sticking with you, want to shift kind of the perspective on supply chain risk, focusing more on kind of the procure to pay side of it.
00:19:14 Adam Ross
So the
00:19:15 Adam Ross
ordering and the invoicing and the receipt and obviously the remittance.
00:19:20 Adam Ross
Where do you see most often supply chain risk showing up in day-to-day operations related to procure-to-pay activities, not just during a crisis.
00:19:28 Julien Perreault
Yeah.
00:19:29 Julien Perreault
And as Felipe mentioned, it usually isn't just this massive blown crisis.
00:19:33 Julien Perreault
Obviously, there are fire drills that happen and all hands on deck to resolve those issues.
00:19:38 Julien Perreault
I mean, we'd love to say that there was never those types of issues in our day-to-day activities, but it always is.
00:19:43 Julien Perreault
But I think more frequently it shows up as kind of that operational noise, right?
00:19:47 Julien Perreault
So there's rush orders, after-the-fact PO approvals, invoices that are sent the day they're due instead of
00:19:56 Julien Perreault
to the AP inbox where like they're supposed to be followed.
00:19:59 Julien Perreault
And then also rush approval and receipt processes to make sure that everything in the system is approved in order to release that payment to the supplier.
00:20:10 Julien Perreault
You know, I think when you step back, these kind of day-to-day operational noises reflect a much deeper issue, and that it's the supply chain and the process is really compensating for broken assumptions rather than correcting them.
00:20:26 Julien Perreault
right?
00:20:27 Julien Perreault
Supply chains are somewhat flexible.
00:20:30 Julien Perreault
And if with them being flexible, they're able to kind of bend when needed.
00:20:34 Julien Perreault
But really, if you don't correct the root cause, you're not really going to solve that problem long term.
00:20:40 Julien Perreault
I think for internal audit specifically, the opportunity is really to take a step back and look horizontally across all the functions instead of vertically within them, which happens more frequently.
00:20:52 Julien Perreault
and asking whether the transactions followed the policy, but really ask why the organization required so many exceptions to operate on a day-to-day basis.
00:21:01 Adam Ross
The increase in exceptions is usually a pretty good indicator.
00:21:04 Adam Ross
When I put my old control tester hat on, I go back to the days where individuals would have the test of 25 and there would be 15 different tick marks to explain why none of the items were an exception, but no two followed the same exact predictable path.
00:21:19 Adam Ross
And I finally came up with this.
00:21:20 Adam Ross
If you need more than two or three tick marks, then it's not a common process.
00:21:25 Adam Ross
I'm making a very broad claim here, but more likely than not, the more tick marks it is, the more different ways transactions are processed and the higher risk of potential failure and just insufficient oversight because you're constantly dealing with the exception and not the normal predictable process.
00:21:41 Adam Ross
Felipe, I'd like to come back to you here and
00:21:45 Adam Ross
Are you aware of a situation where a supply chain disruption revealed a broader governance operating model or broader control weakness that was not previously identified?
00:21:58 Filipe Ribeiro
Yes, I have one example that I've seen that it's when the supply chain planning and the procurement start drifting out of sync.
00:22:05 Filipe Ribeiro
The planning process, most of the case look pretty much solid.
00:22:09 Filipe Ribeiro
The forecasts are approved, the volumes are aligned, and most of the time the capacity assumptions make sense.
00:22:15 Filipe Ribeiro
But in practice, as we know, we all know the demand changes more frequently than the planning cycle can absorb.
00:22:21 Filipe Ribeiro
The procurement teams then have to shift from a planned source into a reactive buying.
00:22:27 Filipe Ribeiro
And this translates much more into spot purchases, short contracts.
00:22:32 Filipe Ribeiro
At the first moment, I believe the leadership doesn't see this as a risk at all because the availability is still maintained, the production continues, and the customers are still being served.
00:22:44 Filipe Ribeiro
But the things happen behind the scenes when the governance starts to weaken.
00:22:49 Filipe Ribeiro
The controls that were previously designed for a planned procurement no longer fit to emergency decisions.
00:22:56 Filipe Ribeiro
And then that's where the exceptions become the routine.
00:23:00 Filipe Ribeiro
And if a disruption eventually hits, and whether it's a logistics or geopolitical or even a supplier failure, the issue starts to become like the issues that the operation model had already shifted from a structured planning to a continuous firefighting.
00:23:15 Filipe Ribeiro
And that's when usually the leadership sees that the resilience, it's not only about having backup suppliers,
00:23:22 Filipe Ribeiro
but it's about the alignment between planning, procurement, data, decision rights, and whether the operating model still works when the conditions are no longer stale.
00:23:32 Adam Ross
Julian, curious if you have any other thoughts or perspectives on that.
00:23:36 Julien Perreault
Yeah, I think another big thing, and I agree 100% with everything you mentioned, and it's really back to that decision-making, right?
00:23:43 Julien Perreault
I feel like within
00:23:45 Julien Perreault
governance models, there's usually clear escalation paths that should be followed when ABC happens, what you need to do.
00:23:51 Julien Perreault
But when there's an event, right, the paths are no longer as clear.
00:23:55 Julien Perreault
Clear, and as I previously mentioned, people start making decisions in little silos to make sure that their operations are running smoothly at that local plant site or for that office.
00:24:05 Julien Perreault
I think it's important that...
00:24:07 Julien Perreault
you surface those one-off approvals decision made, where decisions are being made, and really understand what is the root cause of why they were making those decisions, who was, or who should be responsible for making those decisions.
00:24:21 Julien Perreault
So moving forward, you have your traditional path of escalation, but if there's these exceptions, who needs to actually be involved in the approval process, not making it too cumbersome or too slow, because then you're already delayed and behind and you can't actually get the approval up front and you just have to make the decision yourself
00:24:37 Julien Perreault
to keep the operations up and running.
00:24:39 Adam Ross
So it sounds like delegation of authority is certainly a key item to make sure you have your arms around and there's clarity around escalation, especially when something is becoming a challenge or individuals are not available to work a given potential issue.
00:24:56 Adam Ross
Interesting.
00:24:56 Adam Ross
All right, so Felipe, you and I are going to have a brief conversation, internal auditor to internal auditor here.
00:25:01 Adam Ross
We're going to give Julian a little bit of a break unless he'd like to chime in.
00:25:04 Adam Ross
As we've talked about here, a lot of supply chain risk resides outside of an organization, outside of the proverbial 4 walls within the direct sphere of control.
00:25:15 Adam Ross
And one of the resources available to us as internal auditors is the new third-party risk topical requirement.
00:25:22 Adam Ross
And I'm curious from your thoughts, with those new requirements available, do you see expectations changing for internal audit?
00:25:31 Adam Ross
when it comes to supply chain risk and thinking about risk associated with suppliers and business partners?
00:25:37 Adam Ross
And if so, in what capacity?
00:25:39 Filipe Ribeiro
Yes, definitely, And I believe that the third-party risk is no longer about managing vendors.
00:25:45 Filipe Ribeiro
It's about understanding vulnerability across the value chain.
00:25:49 Filipe Ribeiro
Before we use it to review supply chain suppliers, let's say 1 by 1, did we do due diligence?
00:25:55 Filipe Ribeiro
Is the contract signed?
00:25:57 Filipe Ribeiro
Is the compliance checked?
00:25:58 Filipe Ribeiro
If the answer was yes, the supply was, let's say, considered fine.
00:26:02 Filipe Ribeiro
This approach is not longer enough.
00:26:04 Filipe Ribeiro
I believe that today,
00:26:06 Filipe Ribeiro
a large part of the supply chain risk sits outside of the organization, as you mentioned clearly well on the question.
00:26:11 Filipe Ribeiro
And the expectations for the internal auditors are changing as well.
00:26:15 Filipe Ribeiro
It's no longer about checking individual vendors, but it's about understanding how dependent the business is on its external ecosystem.
00:26:23 Filipe Ribeiro
The third part, life cycle still matters, the selection, the contracting, the onboarding, monitoring, and the exit.
00:26:30 Filipe Ribeiro
But all that now needs to look at how all of these steps are connected and
00:26:36 Filipe Ribeiro
we can work together.
00:26:37 Filipe Ribeiro
It's now for me much more about a business resilience issue.
00:26:41 Filipe Ribeiro
And the internal is expected, I believe, to assess not only whether the control exists, but whether the operating model can withstand with the disruptions that definitely will happen.
00:26:53 Filipe Ribeiro
I like to say that before we had the low likelihood events with high impact, and now we are going to have a lot of small events happening on the same time.
00:27:03 Filipe Ribeiro
And if not a big risk, but that are stressing too much the value chain, and we must be ready for this type of disruptions or interference.
00:27:12 Adam Ross
That's great insights.
00:27:13 Adam Ross
And you hit on something that I believe is
00:27:16 Adam Ross
really, I'll say in vogue right now is this whole concept of enterprise business resiliency of which supply chain risk management and third-party risk management for all organizations, whether they have a tangible supply chain of direct materials for manufacturing or otherwise, is absolutely critical.
00:27:32 Adam Ross
And it's always this balance of making sure you're assessing risk and measuring performance and measuring risk on an ongoing basis quickly and effectively while not slowing down the speed of business.
00:27:44 Adam Ross
Because there's so many different risk domains.
00:27:46 Adam Ross
You talk about geopolitical, we talk about cyber, we talk about fourth party risk, the financial viability of those business partners.
00:27:53 Adam Ross
And most organizations have experts in those different risk areas.
00:27:57 Adam Ross
Each one of them or groups want to have a seat at the table to be able to evaluate.
00:28:02 Adam Ross
And I don't think anyone's trying to keep people out of the conversation, but at the same time, we can't wait six months to make a decision to engage a business partner
00:28:10 Adam Ross
When we got to get product to market, that continues to me seems to be a struggle for all organizations, even those that are regulatorily required to have formal third-party risk management guidelines.
00:28:22 Adam Ross
So I didn't know if you had any thoughts or Julia, maybe you have a thought as well.
00:28:27 Adam Ross
Just how can internal audit help assess the effectiveness of third-party risk governance
00:28:34 Adam Ross
while also acknowledging that the pace and the speed with which business needs to be performed can continue for the business to deliver on its commitments.
00:28:43 Julien Perreault
I think it's a great question.
00:28:44 Julien Perreault
I think the example there, the picture that came to mind with a lot of organizations that have TPRM is like the long Game of Thrones table.
00:28:52 Julien Perreault
And each department is sitting at like kind of each corner of the table, close enough where you can hear each other, but like you have to definitely scream to be able to have a conversation across the table.
00:29:04 Julien Perreault
And
00:29:04 Julien Perreault
I think that's how a lot of organizations handle TPRM today is, you know, each group is siloed and has the things that they need to do, check the boxes, make sure they have the information.
00:29:15 Julien Perreault
But biggest problem is that information generally is not centrally stored.
00:29:20 Julien Perreault
So if you have a financial issue, you need to go reach out to that person specifically who managed the assessment of the financial viability of that supplier or cyber, someone who sits within IT.
00:29:30 Julien Perreault
really bringing those groups together and making sure that you have kind of like a risk classification for the type of suppliers that you're onboarding and having a strong understanding of when an assessment should be completed.
00:29:42 Julien Perreault
What is the frequency?
00:29:44 Julien Perreault
Who needs to really be involved, depending again on that type of supplier?
00:29:47 Julien Perreault
Are they touching systems or are they just a raw material supplier, for example?
00:29:51 Julien Perreault
So I think it's
00:29:52 Julien Perreault
to make sure that the day-to-day operations aren't delayed, having those classifications is really critical so that the right people are having the conversation for each supplier that's being onboarded.
00:30:03 Adam Ross
So having that governance framework handy to allow the, call it the lead person working on this supplier relationship, understands the expectations of the different risk owners
00:30:16 Adam Ross
that might not require them to have to pull in those risk owners per se, if the supplier is meeting the criteria that's been established by the organization.
00:30:25 Adam Ross
So the governance that Felipe talked about earlier is really what's critical in terms of, and maintaining that as well, right?
00:30:31 Adam Ross
Your expectations on 4th party risk might change pretty dramatically.
00:30:35 Adam Ross
Or, you know, in the US here, let's just say it's been an emotional roller coaster with tariffs and sanctions and
00:30:42 Adam Ross
types of things where organizations, one day, it might be completely fine to source materials from country X, but then the next day, sourcing materials from company X might go up by 25% or might not even be permitted anymore.
00:30:53 Adam Ross
And how do we react to that?
00:30:55 Adam Ross
So acknowledging that you have those guidelines and that governance oversight, but that it needs to be flexible to react to real-time actions that are occurring in the world.
00:31:05 Adam Ross
as you can tell, I'm kind of geeking out about this stuff a little bit with you guys here.
00:31:08 Adam Ross
So thank you for indulging me.
00:31:10 Adam Ross
Felipe, starting with you, wanted to go back to kind of our procure to pay conversation here and a little bit more, a little less about financial risk and more operational risk.
00:31:20 Adam Ross
And I didn't know if you had a point of view on how organizations should think about concentration risk when there's limited suppliers for a given source of materials or just who competes in that space.
00:31:32 Adam Ross
but they're so critical to business operations.
00:31:35 Adam Ross
How should organizations think about that?
00:31:37 Adam Ross
How can they best manage some of that concentration risk?
00:31:40 Filipe Ribeiro
Well, I would say that concentration becomes risky when the business loses its ability to react.
00:31:46 Filipe Ribeiro
Limited suppliers are often unavoidable.
00:31:48 Filipe Ribeiro
You can't simply diversify overnight when you have quality specifications, certifications, geography,
00:31:55 Filipe Ribeiro
and most of the cases, certain seasonalities that restrict the market.
00:31:59 Filipe Ribeiro
So the real question that I believe that organizations should be asking isn't, do we have multiple suppliers?
00:32:05 Filipe Ribeiro
But it's much more, how exposed are we if one of these suppliers fail?
00:32:10 Filipe Ribeiro
And that's why concentration risk needs to be assessed end to end, from the orange to the delivery, not just in a contractual level.
00:32:20 Filipe Ribeiro
For an operational perspective, I believe that the organization should treat these critical suppliers almost like part of the infrastructure.
00:32:29 Filipe Ribeiro
If they don't go down, if they go down, the production will stop.
00:32:32 Filipe Ribeiro
That means that concentration should be actively discussed, not only seated on the procurement, but also being involved with the planning and other departments with the company.
00:32:44 Adam Ross
So at a minimum awareness of where your concentration risk resides and talking about it to understand if there are alternatives,
00:32:51 Adam Ross
But recognizing that it's quite possible that there is only one organization or a very limited number of organizations that can supply the product or the materials that are critical, and there might just need to be a level of risk that you just need to be comfortable with if you can't react to that concentration risk, if what I'm hearing correctly.
00:33:11 Filipe Ribeiro
Exactly.
00:33:11 Filipe Ribeiro
And just adding one more layer to this discussion, for example, when you operate in continents such as Africa, it's not easy to reach the final supplier.
00:33:19 Filipe Ribeiro
You need to pass by many intermediates, traders, distributors, and most of them are just connected to the same big supplier.
00:33:27 Filipe Ribeiro
And you need to be aware that certain disruptions can happen, and you need to know
00:33:32 Filipe Ribeiro
when and how you are exposure to that.
00:33:35 Filipe Ribeiro
And I believe that's the biggest point that we need to be aware when we think about this type of concentration risks.
00:33:42 Adam Ross
Julian, any other thoughts on supplier concentration risk?
00:33:45 Julien Perreault
Yeah, I think the key thing is writing, as Felipe mentioned, you get those efficiency gains of usually better pricing, better payment terms, shorter lead times, or some other just-in-time inventory system that you might be able to agree with within the contract.
00:34:00 Julien Perreault
But I think the real issue with concentration is when that efficiency gain turns into fragility for your supply chain.
00:34:07 Julien Perreault
And if you're able to plan ahead, and really one big thing that we've talked with a lot of our clients about is strategic partnerships with those strategic suppliers.
00:34:19 Julien Perreault
Oftentimes it's at a transactional level, I need X amount of goods on this date and here's the PO, send it to me when I need it by.
00:34:28 Julien Perreault
but really, especially in those highly regulated areas, becoming a strategic partner with their suppliers and understanding and getting thought leadership from them as well.
00:34:37 Julien Perreault
They are the ones producing the goods that you need.
00:34:39 Julien Perreault
What are their thoughts and what are their opinions on how the two organizations can collaborate to make sure that you're not just a transactional customer to them, you are now a partner and both organizations can have efficiency gains as well.
00:34:52 Julien Perreault
So
00:34:53 Julien Perreault
at the end of the day, when there is an issue or a catastrophic failure for them as a supplier, you might come to a priority list of still getting products and services where others who are just transactional probably won't.
00:35:04 Adam Ross
Wow, that's great insights.
00:35:06 Adam Ross
You are just kind of shifting how you approach the relationship from transactional to strategic and quote, you know, or proverbially putting your arms around them
00:35:15 Adam Ross
to making sure that they are equally invested.
00:35:18 Adam Ross
And you're allocating the time and investments necessary and acknowledging the importance of this business relationship yourself.
00:35:24 Adam Ross
Very informative.
00:35:25 Adam Ross
Felipe, coming back to you, because you've had the opportunity to work across the world, Latin America, EMEA, Middle East.
00:35:31 Adam Ross
And you talked a little bit about this when we kind of started our conversation a little bit.
00:35:36 Adam Ross
How does geographic and cultural complexity amplify supply chain risk?
00:35:40 Adam Ross
And are there any areas where internal audit
00:35:43 Adam Ross
can help address potential situations where that risk might be underestimated.
00:35:48 Filipe Ribeiro
I do believe that the geographic and the cultural complex is one of the most underestimated supply chain risks I've ever seen.
00:35:56 Filipe Ribeiro
On paper, global supply chains look standardized.
00:35:59 Filipe Ribeiro
We use the same ERPs, the same policy, the same approval workflows.
00:36:03 Filipe Ribeiro
So there is often an assumption that the risk is consistent everywhere, but geography and culture fundamentally change how this process operates.
00:36:12 Filipe Ribeiro
Each region brings its own regulatory environment and even its own risk tolerance.
00:36:17 Filipe Ribeiro
So what works smoothly in Europe may operate very differently in parts of Latin America and Middle East, even if the process map looks like the same on the paper.
00:36:27 Filipe Ribeiro
And if where the internal authors most often underestimates the impact of what I call informal workarounds.
00:36:35 Filipe Ribeiro
As we mentioned before, the local teams, they often create some manual steps to keep the operation running.
00:36:41 Filipe Ribeiro
alternative suppliers, verbal agreements, emergency logistic routes, especially in high volatile regions.
00:36:49 Filipe Ribeiro
And these workarounds reduce the operational disruption, but on the other side, increase governance and data risk.
00:36:56 Filipe Ribeiro
And I believe that we need to understand how this supply chain actually functions on the ground, how the goods move from one side to another, how the decisions are made under pressure, and how the local realities interact with the global governance that the company is expecting.
00:37:12 Filipe Ribeiro
In the global supply chain, I believe the risk rarely fails in the design, but it fails much more into the translation from the policy to the practice, from headquarters to the field.
00:37:22 Filipe Ribeiro
And that's exactly what I believe that we as internal authors, we can add the most value.
00:37:27 Adam Ross
So interesting.
00:37:28 Adam Ross
I know for sure, not so much related to direct materials, but we talk a lot in professional services just around the cultural differences associated with communications and decision-making.
00:37:39 Adam Ross
In the United States, it's a very direct culture.
00:37:42 Adam Ross
We say yes and no pretty freely and directly, where other cultures might say, yes, but.
00:37:47 Adam Ross
And that yes, but is a hard no.
00:37:49 Adam Ross
But if you don't know that yes, but means hard no, you get off the phone thinking, oh, we're good, but we might be delayed a little bit.
00:37:57 Adam Ross
Or it's a very hierarchical culture where individuals are deferential to their supervisors or make decisions more in a community.
00:38:05 Adam Ross
And it's super important to just understand how those decisions get made and what's actually being said with the words that people are using.
00:38:12 Adam Ross
And that doesn't even talk to some of those regulatory items or just how business gets done in a given geography.
00:38:18 Adam Ross
So really, really, really insightful, insightful thoughts there from someone that's done work across the world.
00:38:25 Adam Ross
Really interesting.
00:38:26 Adam Ross
Julian, coming back to you, know, someone that works with management all the time.
00:38:31 Adam Ross
to help reduce supply chain risk and improve performance.
00:38:35 Adam Ross
What are your thoughts on where internal audit can get more involved without compromising their independence?
00:38:44 Julien Perreault
Absolutely, and it's a tricky situation.
00:38:46 Julien Perreault
I think historically internal audit has this
00:38:48 Julien Perreault
misconception of the gotcha mentality, right?
00:38:51 Julien Perreault
Like, oh, we're gonna come in, ask a couple questions.
00:38:54 Julien Perreault
You know, you're usually trained to just answer the question that internal audit asks and don't expand past that.
00:38:59 Julien Perreault
Now, if you expand and you accidentally say something that's out of line, immediately a finding, and now that kind of has closed the door between those stakeholders and internal audit forever, right?
00:39:09 Julien Perreault
And I think moving forward, what I've seen a lot of internal audit organizations is,
00:39:15 Julien Perreault
having more of the conversation, again, not looking reactive and saying, we got you, did something wrong, you're going to get a slap on the wrist now.
00:39:23 Julien Perreault
It's more about understanding how and why those decisions were actually made to be able to help those organizations and those departments make the right decision moving forward and give kind of recommendations.
00:39:35 Julien Perreault
Again, it's not about owning the decision of what is right or wrong.
00:39:39 Julien Perreault
It's more about giving your recommendations and saying, this is where we think you can improve to actually make your organization and your department better.
00:39:45 Julien Perreault
Again, it's also across the organization, because I think a lot of times internal audit historically was looking vertically within each department.
00:39:53 Julien Perreault
Now it's much more of a horizontal, how are all of these departments connected?
00:39:57 Julien Perreault
Supply chain risks really rarely show up in just one place.
00:40:01 Julien Perreault
they come across from planning volatility, operational constraints, finance overruns, and compliance exposures that were not initially expected.
00:40:13 Julien Perreault
So by connecting all the dots, they're able to give a better recommendation overall.
00:40:17 Adam Ross
Okay, so I heard a few things that I think are worth repeating.
00:40:22 Adam Ross
One is, if you're not aware as internal auditors, individuals that are going to be undergoing an internal audit, often prep and possibly you're even giving coaching if you're not aware.
00:40:31 Adam Ross
That's quite common.
00:40:32 Adam Ross
And I just want to say thank you, Julian, for recognizing what we as internal auditors continually try to do individually and as a profession is our job is not to come and get people in trouble.
00:40:44 Adam Ross
Our job is to help come understand where the challenges are and help come up with pragmatic solutions to
00:40:50 Adam Ross
better manage risk and improve control and improve business performance.
00:40:53 Adam Ross
And that obviously it takes 2 to tango, right, to invite internal audit in to help before something has gone wrong.
00:41:01 Adam Ross
But it's also incumbent upon us as internal auditors to have that consultative mindset and not be just looking for a smoking gun.
00:41:09 Adam Ross
So thank you for that.
00:41:10 Adam Ross
Perspectives from a non-internal auditor, everyone.
00:41:13 Adam Ross
So thank you.
00:41:14 Adam Ross
Thank you.
00:41:15 Julien Perreault
No, and I think it's been a big shift already that I've seen within a lot of the clients that we serve.
00:41:19 Julien Perreault
We generally partner a lot with their internal auditors.
00:41:23 Julien Perreault
It's a big change.
00:41:24 Julien Perreault
And I think it's a good thing for the practice and the department within that organization.
00:41:29 Julien Perreault
You're getting more insights.
00:41:31 Julien Perreault
And the more insights you can get from your stakeholders, the better internal audit's going to be able to help you.
00:41:36 Adam Ross
Awesome.
00:41:37 Adam Ross
Love it.
00:41:38 Adam Ross
Julian, we'd like to stick with you since we're kind of talking about working with management to reduce supply chain risks.
00:41:44 Adam Ross
Felipe, also interested in your thoughts on this as well.
00:41:47 Adam Ross
When we think about the horizon, the next three to five years, what are certain supply chain risks that we think are going to continue to emerge or evolve?
00:41:55 Adam Ross
And where should internal audits start preparing to think about and react to those risks, even if leadership is not fully, have those fully contemplated and baked on their radars?
00:42:05 Julien Perreault
I think this comes as no surprise.
00:42:06 Julien Perreault
I think supply chains are going to become more and more digital, right?
00:42:09 Julien Perreault
I'm sure we could,
00:42:11 Julien Perreault
pretty proud of us.
00:42:12 Julien Perreault
We haven't said AI more than a handful of times on this podcast.
00:42:16 Julien Perreault
Typically, you hear AI talked about very, very frequently, but I think that is something that's coming very, you know, in the very near future here for supply chains as well.
00:42:25 Julien Perreault
But they're also going to become more constrained, more regulated, and more interdependent.
00:42:29 Julien Perreault
And without governance evolving at the same pace as with the changes that are happening, that's where the struggles are really going to happen.
00:42:37 Julien Perreault
Right.
00:42:37 Julien Perreault
As I mentioned before, there's a lot of these planning tools, not only for manufacturing, but also how do you move your goods across like the network design tools as well.
00:42:46 Julien Perreault
There's going to be a lot of AI in those platforms and making sure that you are auditing your AI outputs very regularly and, you know, diligently is very critical.
00:42:57 Julien Perreault
A lot of people are going to use the outputs that AI provides them as the truth.
00:43:01 Julien Perreault
And oftentimes, I'm sure even what you see with Copilot or ChatGPT, it makes its own assumptions, it jumps to its own thoughts, and that's scary, right?
00:43:09 Julien Perreault
You need to make sure that you understand the assumptions that your tools are making so that you have a better understanding of the outputs that are coming.
00:43:15 Julien Perreault
And I think that's really the biggest challenge that's going to happen is the pressure of AI and what it's doing to your day-to-day operations is going to be an important topic for internal audit moving forward.
00:43:26 Adam Ross
So soon to be gone are the days are a.
00:43:28 Adam Ross
grease stained thumbprinted receiving document that's just left on the dock that came with product being delivered.
00:43:35 Adam Ross
And it's, we're going to just see continued digitization of the supply chain, whether it be Internet of Things on pallets and SKUs and robots in distribution centers.
00:43:48 Adam Ross
And if I'm hearing you correctly, that's the type of things that you're referring to in terms of the evolution of risk is really the automation of the supply chain
00:43:58 Adam Ross
over the next couple of years.
00:44:00 Julien Perreault
Absolutely.
00:44:00 Julien Perreault
And what is the governance look from a cybersecurity perspective with all that information being on the cloud?
00:44:05 Julien Perreault
How do you make sure that only the right people see what they need to see?
00:44:09 Julien Perreault
I know that organizations have also started talking about blockchain a good bit as well.
00:44:13 Julien Perreault
You know, I know that was initially a cryptocurrency only thought, but it's actually coming to a reality for certain areas.
00:44:20 Julien Perreault
So how do you
00:44:22 Julien Perreault
start putting governance around these types of things is going to be critical.
00:44:26 Adam Ross
I've heard of blockchain being used more in the contracting space.
00:44:29 Adam Ross
Is that what you're referring to or somewhere else?
00:44:32 Julien Perreault
Contracting space, I mean, I think this is very far out, but also in the logistics space, right?
00:44:36 Julien Perreault
Understanding your bill of ladings and everything else across the whole supply chain going from a port in
00:44:44 Julien Perreault
Asia all the way through as it makes its way across to make sure that what is on the port or what was loaded off the port onto the boat and what comes off, the end-to-end visibility of that will be seen through that blockchain as well.
00:44:56 Julien Perreault
But again, very, very far out, I think, in my opinion.
00:44:59 Adam Ross
Interesting.
00:45:00 Adam Ross
Okay.
00:45:00 Adam Ross
Wow.
00:45:01 Adam Ross
Okay.
00:45:01 Adam Ross
Felipe, any other thoughts on emerging supply chain risks that should be on internal auditors' radars?
00:45:07 Filipe Ribeiro
I 100% agree with Julian.
00:45:08 Filipe Ribeiro
I believe that the automation is the nearest future that we have.
00:45:11 Filipe Ribeiro
And this automation always brings certain risks.
00:45:14 Filipe Ribeiro
And although everything can be automated, then also AI implemented, I think that everything still heavily depends on manual inputs.
00:45:23 Filipe Ribeiro
And as we know, the quality of the data that is manually inputted sometimes it's not the best one.
00:45:28 Filipe Ribeiro
And even if AI, you still have to train the model.
00:45:30 Filipe Ribeiro
And this bias and on this part of the automation that it can be something really good on the same time, it's going to become, I believe, the biggest risk in the supply chain.
00:45:40 Filipe Ribeiro
And when I talk, for example, about the agriculture sector, any decision made wrong at any part of the season can affect everything at the end of the season that you cannot correct during production, during the season.
00:45:53 Filipe Ribeiro
It's not like a production or a manufacturing that you can just stop the machine and start everything from the zero.
00:45:59 Filipe Ribeiro
On this season, there are crops that you have like five years that you have to crop.
00:46:03 Filipe Ribeiro
So any mistake that you do in your supply chain, this can definitely affect the whole crops and the whole yield estimation.
00:46:10 Filipe Ribeiro
And I still believe that these outcomes, these new technologies might represent a severe risk for us in the future.
00:46:18 Filipe Ribeiro
That we are not aware yet that we are going to feed our risk assessments with time and
00:46:23 Filipe Ribeiro
As long as we start testing and seeing the situations happening.
00:46:29 Adam Ross
I feel like I keep saying the next year is going to be interesting, and I just keep saying that over and over and over again.
00:46:34 Adam Ross
Every year is just faced with an accelerating amount of change and new challenges to understand and overcome.
00:46:41 Adam Ross
On that note, I'd very much like to thank
00:46:44 Adam Ross
our two colleagues here, Felipe and Julian, for spending the time and sharing their insights and perspectives on this important topic.
00:46:51 Adam Ross
And we wish you nothing but happy auditing when you're considering supply chain risks and all the great governance, risk management and controls that are out there to help keep that supply chain humming along.
00:47:03 Adam Ross
Have a great day.
00:47:04 The IIA
Thanks, Adam.
00:47:05 Filipe Ribeiro
Thank you.
00:47:05 Filipe Ribeiro
Thank you.
00:47:08 The IIA
Hey, audit pros.
00:47:09 The IIA
GAM is back March 9th through the 11th in Las Vegas.
00:47:12 The IIA
It's where internal audit leaders come together to talk governance, emerging risk, and what's next for the profession.
00:47:18 The IIA
If you want smart conversation, fresh ideas, and some great networking along the way, head to the IIA website and register for GAM today.
00:47:27 The IIA
If you like this podcast, please subscribe and rate us.
00:47:30 The IIA
You can subscribe wherever you get your podcasts.
00:47:33 The IIA
You can also catch other episodes on YouTube or at the iia.org.
00:47:37 The IIA
That's THEIIA.org.
